Wanzhou WOES Intelligent Optimization Energy Saving System SQL Injection Vulnerability

A critical SQL injection vulnerability has been identified in Wanzhou WOES Intelligent Optimization Energy Saving System version 1.0. The issue resides in the Energy Overview Module, specifically within the CreateFunctionLog interface. The vulnerability is triggered by manipulating the MM_MenID parameter, allowing remote attackers to inject malicious SQL commands. Exploitation of this vulnerability could lead to unauthorized access to sensitive data in the database.

Impact

Exploitation of this vulnerability allows for SQL injection, which could be used to manipulate database queries, potentially leading to unauthorized data access or modification.

Reproduction

The vulnerability can be reproduced by sending a request to the CreateFunctionLog interface of the Energy Overview Module with a crafted MM_MenID parameter that includes SQL injection payloads. This can be done remotely, and the injection point has been confirmed to work by bypassing authentication as the 'db0' user.